hxxp://google[.]com

Resubmissions

25-09-2024 06:43

240925-hg3jea1bjr 10

25-09-2024 06:38

240925-hehffszhrl 10

25-09-2024 06:33

240925-ha9zxazglk 6

Analysis

max time kernel
239s
max time network
241s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 06:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Annabelle.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Annabelle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

Annabelle.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

NetSh.exe

pid	Process
1568	NetSh.exe

Executes dropped EXE 1 IoCs

Processes:

Annabelle.exe

pid	Process
5548	Annabelle.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Annabelle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	Annabelle.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Annabelle.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
3	raw.githubusercontent.com
49	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid	Process
4760	vssadmin.exe
5812	vssadmin.exe
5796	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717199431993422"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "132"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe

Modifies registry class 3 IoCs

Processes:

MiniSearchHost.exechrome.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{82A9E449-B934-4878-8210-4E680183EC31}	chrome.exe

NTFS ADS 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
1764	chrome.exe
1764	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe
3644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	Process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe
Token: SeShutdownPrivilege	1764	chrome.exe
Token: SeCreatePagefilePrivilege	1764	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

chrome.exe

pid	Process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe
1764	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniSearchHost.exeLogonUI.exe

pid	Process
3704	MiniSearchHost.exe
5388	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1764 wrote to memory of 1160	1764	chrome.exe	77
PID 1764 wrote to memory of 1160	1764	chrome.exe	77
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1204	1764	chrome.exe	78
PID 1764 wrote to memory of 1508	1764	chrome.exe	79
PID 1764 wrote to memory of 1508	1764	chrome.exe	79
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80
PID 1764 wrote to memory of 2772	1764	chrome.exe	80

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7c96cc40,0x7ffa7c96cc4c,0x7ffa7c96cc58
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2228,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1768,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1956,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3008,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3020,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4064,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3528,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4616,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=1040,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5260,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5696,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5840,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5980,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5828,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6236,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5736,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4552,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6228,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5972,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6428,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6500,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6560,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6576,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5508,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6620,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7032 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6608,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7176 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7024,i,15049323205908934102,15168955431588219879,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2084
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:5548
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4760
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5796
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5812
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1568
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:4520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4532

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fba5e34cbf6621554e3b8420972684cc

SHA1
3b7ec6b5a54e90fe50eb34bc60748930c0b19215

SHA256
a584187b0b40d45c4f2ea3df3e00c7c9b5038bff3b07de6b44ee45d9ff285c30

SHA512
b1060e66ca909c51719cd6b3a0ccf1342894a6aa4366cc88ff93522c65207341bd8826d4f57f4c0f121017f99a17474a3baf36743e850e12495cb162e9adc776

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
72KB

MD5
bf168b8ee29e8a9290aa60752a429516

SHA1
ad7b51c81f8045fdee9943fa4c23e14e6d0ba110

SHA256
11da5080b2b7bb2780e0db5bfa8015d08abb07c9c0e79d9bc6b3cc016302b96c

SHA512
7fa69369757f27bb5c7fb668ac9317a9cd460b701823b88d7a71e3ce8265fb8ac55a12d0e6cbdfe5d6871917220593aa0953f6ea8697bd65e6afdfbbdd38e57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000033

Filesize
47KB

MD5
d68e16f4b1c4ac2ba25a3832816a9a73

SHA1
483d682342aea24ed78443e09a4f9e1e4e7bee3a

SHA256
7a3b1646e73713640dabfc22a14a07dc2f0e3eedce783f1312552286104fed77

SHA512
67810d66daec6198445c431bf0b7eb1b78e8a3f92fd303ce342e6d7efe59c061283dbf7d7281fbc11416097022d365698b1f0cbef22672d09d0bc736a3535e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
605KB

MD5
4dee9994f5847adf284d8727c6109b61

SHA1
b6a2cec46baf82da9c8ac7c8ffec6f75dfdb7e7c

SHA256
e81ca154c634f1d8e56580995718ec7c34fc4b45b61c36805ea347040d124e64

SHA512
96b56c04b315927ebf5c0d780ca6d94ec0a8e8544cf9c01f74540e22e9ede882b00c2d73de6b04c6c2ee7233524688c8fa19c3caccc9a55d8073aaf110607fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000038

Filesize
33KB

MD5
28f28f9ab8d8a15c7b15246b77b413b1

SHA1
74a0bd96dbfb39c19f1ef6399f1a6adc1de5de20

SHA256
04f73e0d2c136265f4c9b50f2e619414c156ead2a5181ce84739922b6c9fad4d

SHA512
d63b7474ebb3a6629c4e20407c0c379e194cb71d12f1047219c072bb2450308fc7447efa450968cfc520e6acb456bfedb8b83162e9367efdbcf49787cfb1d466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000039

Filesize
24KB

MD5
8f9e63677e24099ca96ec098895cb780

SHA1
499997872c0fd43e415cfd177672cc93640e35d1

SHA256
eedfdc730b1bf11e9bf684f0b074fae5eb189688615154e7a26c1d3a4469619a

SHA512
864c6ae186f0c8793bc384657e8622106909450475c89579391f5efaa34abfbaad864dff41480aa35a1bf542df6a309d590a8d87674a41c7b9f925baea1f6832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003b

Filesize
32KB

MD5
673269c477f35966b5031f665816d043

SHA1
d082b1a27742e92a108112c2473a43e73cf5618f

SHA256
42008d6a28b6ea01964980c7691aebb91b93cbb5f8ae8b2668c94d1483a225ad

SHA512
423c2dccf173a1a193138f776befda7b708f5fbd0b4fd09bd278954fcd87d2510d73ec6f5bd0a3133e9e8f946c256ed26040125694c1db6d7d57cb4cae5af4ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
8bc254ef6a8b1968431be4d206e3bbbe

SHA1
de135f4781449ab14ed914a3d0750a906e05f985

SHA256
7596512a50758657192e59ecb0410dcd2dbb0e5c21b5db41f71df3ed9e373da7

SHA512
1a0c96cd553d70794b7f63bf1aaec020a57b5463417023756e4d40bdbb18b8afdc902b8bb8b647eed53ad7b003c0e63c0be49bd35c1784bcd01161e0e7bc9d67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
547ddc4218ea34d0de9b112849ab9dba

SHA1
7ed7761173cc6bf85c84fcc141061b7f65e1b284

SHA256
66f2f99a3f445e2aee3ffb58b661ba15bc9ffadc9df58147d5f5f13290dc3fb3

SHA512
3d364a9d24198a31e2d9a9470ee98744874193463100c3b89a361a7f955366f9ef05d011fe8631e3265bfe3e7b94d6d3ff547928705ef4038abd512f7032508d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
64e6e544c8b55a19459e341658e99ad5

SHA1
fcdc8d2017b8330d7358462d53eecce34330774c

SHA256
c2b298199bedee0f9049a5dbc96240b2e3582175ab1af72a8f7d6117ba00c168

SHA512
5d529ef0e0058dc5228fec4e6447c42f7e09e6059f8b27aa6fa62b435234c04c31ab5aba715a050efd46d2be5ab2d47198547ae9bb8c20dfb60f982503748c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
4ee84f4ccfb760d582e2790e40fbb852

SHA1
6cf2f4ca8d9c23d4bdf102a8b5ecd2984136864a

SHA256
12b7dae6127cb24a7c532825b473ddb9014db0e3901afa9d294bdeb56e742a50

SHA512
2ec33367b69482ed17f7a239fc8ec578937ce564741860d421fd1daecc98d3ba9460e9b0243bdc974b529fd52e50e05fa3ac342a91964e870bf0392aa4a90012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
55978cfac8ea3771e5cec5a1b1449735

SHA1
d50371376180154a7b3b0fdb87f6a3d3463b0305

SHA256
2db030448a3813125189e8203f2b170b6278d57edc57790972144740a7b64822

SHA512
734058c44f6bf757669a0d490c5c4d9990bc16c1ab3d139bec4541d0d4bf1df43423ed51bb481b826870cf06f8517e0fb659f081a03788a63f2eeee1240f6038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
3799847298bfcc78b527b0a60b6a0724

SHA1
bbe4da00413219cdb1fdfbc802c661c14e6c30ac

SHA256
00e969d11f5b98f7c2e85036a12c2d1638f86e7868d48d339ce9fee0d7cb7357

SHA512
27e14c517a32067f8e1a3e2e44d9da460692b1400824422cfd5c2118a09ec78edd82a224bb0dc271a2c81855896d4483e56fba058104fc92dce75545b9d516ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5888dddf0e4c26a8f4a63547d5b35749

SHA1
c4693815862900801c6c17858cde2c0077f7803d

SHA256
0ff1d588c2467f8b23e6bdc0c2d76d3ec23d83889e7669677eecf63aec9d3e37

SHA512
936a93d31bb3600184582efcb92aed64a5344fd31020d290bee86eebfc9e6252eb5ed0f869201795d2417934653961cb6a5c133ffb68518abe4283d1a0445526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f516478d06ea72cc4d85b6677cb88eb

SHA1
d731dffc53ec21311d9ab1462de48f2b4f4654f2

SHA256
f23be185d516b4a87dea3d332dbcbca1cb0446505d2c889c4c298b38e413a69d

SHA512
83c3985171b61d11ca690ee6828d04f3fef123db4ab819f3a190a5bf5dc824328288ee20a0ceca8673a1b7bbc59199fffb753a8bcd076c6e3469766043dedcf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2e0ed43bf765cedda3f6d177d291d9b2

SHA1
4900cbf16fa721bf8b0fef41c56b7a7e55623c1d

SHA256
2d23c7887397669a75c8f957c603335b0773b4441d216e9d9fe92a79b34ebead

SHA512
acf8a41199ffa11274afb70426bb915628800f84ce6314e4ed816eb519c49b0f557b10ba12e7ed61bef4636addc6c5bcbc19b70adc6ce2c44006debdc16e03e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
2b2da0a57a15a324694ac3345428668c

SHA1
c5e9bc4de3d79cefb708189ad3a959e2e7a31497

SHA256
ff528cfe11e2f4562a6b9eb25296b193876c7bb50925851d53983faec918ff72

SHA512
3fb97f8adacc3f26f804c138330f6fdb99cc664333a883922856453e35dfdc3ba8b8e05cc66980e400ab56e33adc631c6b1e5c404660c4bbaa8f81750639ca93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7012edfc3d7f19decd79c30d69de5980

SHA1
46b362a08157351bc11278478801591614baf3b8

SHA256
d0a37cad36a283e01b412b1728a4b02682cccc183cc1300f645fcdea549c3ffa

SHA512
e871e629cf4d1700aa8560ae723e2c02c8586939ce1d608cad267fe87d986805fd936a61660103cf0c31a1fd206f69c81775ab22ff14a429a436dda33a8c1b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
780693354b1d643c87cce34eeae39e4f

SHA1
53aface9e5995ef5d6fc7f0e9f6ed3cb9c00df5a

SHA256
6b6196f0301f02811a05bfda4e5fdad3418ecd9227e9a038ee98323bc027b544

SHA512
c174987fe3a803279da7887af8e17f59090c484c85db8cd46e585676dcaeee4554b7cc9be278e68bdf6ac23b6dcd17f9292846a4102a103e4c2626b610726569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dab44de70a9be12ce7fed94e93e3f38c

SHA1
ce72757bb83fd2007ebd327531e02809d62a528b

SHA256
40ddb676afb5df8e01f29510153e83e91f03ccc1c6ebe98f19554a6399a4c8dc

SHA512
9dc1f36318fe10971fb2c253668f3d9b56ac81fb34fb20a3b1dbffe1099a9a709a79d877c9566bda4b7d0760b26c1a48593fc2b00ab1e369cded2654c8f14fbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ea88a854-d046-4ff0-9e90-7e856eab5996.tmp

Filesize
520B

MD5
e010fca6107cdc0eca4d534a6cc74cb4

SHA1
95cf76947f68e1d645db21fc688ec6fb971535f9

SHA256
a29f8f11116a9cb466028c369d43215ddcc7296e69144e726a1b78bf1b9006a9

SHA512
0d9432f582a9000d4c3c84b560ebb4534ef6d5cd21cc064b124bc1dd3d2c96b51a91de11d11ab5764a618a93e44874e6c3de8edbcbfe0a5a9b405d58915b7190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
533edf0f7df9629af1b6680795889f6e

SHA1
328b7e89226e491890513d4e2cfc7e9743549b29

SHA256
97d5db396754e76224f2c64f0379a23c2a082d8066401ce0f4a8b8c03aaaf346

SHA512
1d042a1e62f1d4591ba24085851758892bc17eb56c4c4c1fcd3971275f7aff5684071195d7fdec4d3f3a21b8ac327debebc1e2dbdafb5e495756b1335e83032f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c3ff7f565de2c4ee051cb7cda740051d

SHA1
2b8eaebd2f4d91df27284cfdb3b9215c7488cfb5

SHA256
5319acd8eebab03b47ac434dfc0675b908e5b9f8bfdf388bdbfc733382e197d8

SHA512
2f39702d88a4b55169b2750a05f09c44db19b1edd70497249b2689caa1c92ff8c1e0e7fa883aa39df0da883bd025ee6a1a5dcc2fb356efea16d03e41da2e8941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7056875368effe9e75623843331bbda8

SHA1
95874d465b76bd6d0343c91997562eec02eec164

SHA256
68a6b851683a276ed5fa8c4e08bd9e026870b70a02c4a9cf62b029faf38d6335

SHA512
78c628b7fba62377473c00c5361351a3583eef54679764c40bda716a8292671d60e93da56a557561738f85511b6957add660b9b545f503f393721ac1a70ad9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
55d586674288732f9ecc1328443a74fe

SHA1
83d2a472690c4ba945934673c9238045327decf8

SHA256
fb36c96cc127b8ed870e4a491df927cab94e30f292faadfe2e3a9ce4b7fb9033

SHA512
7b20affe7716b30b83af08f6a53a3f8a976d796c2062416eb3d785d6f7e6b2176a7a56cb0164470769aa49c108611440a5b2dcce5cc4831e0a3d51b6e68af2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
8d0e2fe56030688aaf8a06710faf4916

SHA1
85597d3f8d73606a44eb0a9d66fef7e987e4a567

SHA256
1387b0df336de3feb263dae91fd844227aa63a913aca6c14ca6a781d06d4403a

SHA512
fdfbc0ab97236e83dc7e3d39bbd2901619d88e0d026d43548dd0774c607b93604548cb604b9087f62d8788014f54c788f079da5b1f608e7a05919baf678a895d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be9edd7fa57cd044b0dbb98955d0bee0

SHA1
ca498e2d309c54c0fe46a3acc5e988caf4f136c1

SHA256
c9274773f631c8c235476cf391eb0d7891c82e3dae03ef1cfe9bfea3d6c70bae

SHA512
429033f62b3a6d4a48bb49b97e0536e47eb66d8780f51ccb9c6e2d30306f33b9961528cf18b591ae070d8870c257e3e1bf4f6b57ef79614909286ae3e5742f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2a617ec156db878e850a228312cdf478

SHA1
3f33a695c971518749187bca805278bca7a5a9be

SHA256
0581aab2765aabab354779c90760063f277cdd07511f2d8adfede6e10f90ee61

SHA512
a1bf42f9bc46d14b8463fa5abe807c0f474740ae954f6cfec90dd8b56b9ade56239069fa461e1b2b8e29e7e95223d41d001ae49d265d9775e138c7765a764e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
66b45dc9fa13616767cd66dcde3bebcc

SHA1
ca8ffd6cb73b735f88c7dbd30172b20049793797

SHA256
0f20f1cba8428f4ac162064ef6241b0930abd19085146503dabc180accd6ab9c

SHA512
7ce93af08c7050db8623fa8788b109f2de24d4b6226978e79313fb872beb168f7800840961db7fbd7164b45040976f75fd1180f08e58215ff5091af3a71a43af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
4741e73adac72bdc87a55843e10cdc82

SHA1
58bdf87b6ec81ddd82ab286f28070a5cf72c8192

SHA256
9f2efd56ab1438609f254e96dd13b7d699de739a4bfcbbbbad2bf99a4a4d6652

SHA512
7e6c6a4b292135fb3ba92f21467b1bd0c35d5934c648a1731d56578dffe9649a06fd094a55e57db15daf60f79131c9e46d28457cb7a59f5a8410ba856c5cf93f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
02f6bbfcd91fc0afa4f50d56631eb874

SHA1
64c9b7f173f25c70504e704a8de9012b3c50e0d1

SHA256
149a887655cffda522105c08fc26698feb65afce2cb1a1eb6b061c01aa6a2b3c

SHA512
afecbe6688a8a56717dad674752f7c3b6f0e13ff6a5d278cd38aa5e3c0c05b136cb6f80dbc2edda33c68b6cf606b114a9cbc6e9ec0e6b0f096ce5cec019c2ba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8fd0521f269c290b3109c4eaf925ec0c

SHA1
c3f3d99dcfa2ec65b4a14a1e2615aec13dd614d7

SHA256
3abe697d8ffaefd9ad244779ee848fdb906e33b06ee8f274730c6ee3ac613fa5

SHA512
c58c414382dfd55cd094c8eec979dc9a015e458727170d0c85af8d4b34e8fcdce769ad4aaf63e6e83e24cf6e11299e7a94d31ecbfa6a9a31b0d6c306367f9cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08eb9c52354a7c8e9a02b9c965917561

SHA1
505f3e773b5dc9929b62993e077e100692651f50

SHA256
3e413a8245f0436fa33adf3f2ff89b6de7f6d1a5e415593ffa4a5e73825c1470

SHA512
b9e8ff369301163b38629736292bdb95479590f9749415969fd8bc8494f27eacf554c24c88dcfca64309912048860eaf7d823a1311f1b5c7399ed8b861debc29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
317b26109f1e39fd800f6969a8d1f20c

SHA1
d658ef951326a9fc6b0e4fafd1155fa1b14e673f

SHA256
5df29badc895d11107e8ecf24c341c7c38eb5b9d419ceb4db6aa2d03688c92e1

SHA512
eb346d87985a71d630131f99a6b29d6cfc5d17a9937e32b5f0bafa038617ac60180769c9b5abaf17483677a7253579f02cbc3980907837a49dcd2952efe4786d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
579b2b9d46674e736de5346b2fa33275

SHA1
909995ee3f421c92c96245f27c8b23914c23959e

SHA256
cbecf644d0f7ab809a978b7ea4fe1a514c37a9fc2f287c2ce63d694959a24796

SHA512
e8a06a2a46ca1f3ce1624df2639e5e8835e5ae5fba75136fc8692d6946d063194d75e4d8c9e27a07f65c751c457041b1fee274dfed8aff87ac4ed0327a0c1db0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e678a923a6bda8df41cae8904ede477b

SHA1
dd576d58cf7b0563c834a4d431add07fc5f6e75b

SHA256
5fa0deb908665fbeac2b0401adc7765806bee8bc1ed2fd2786846a1383736e4a

SHA512
a89c2e87a8e8987fc344a5395aac5cee60bcb9d019f78a977c7313c27a71d310ca862bf288d969f536aae3b5069db2913ad09feab5685d59289e40e631a6f3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
cdd78db0dfee7898b28842d10f624580

SHA1
010a4ed4a8555828772e4001c3db0295dad344a1

SHA256
13a1681cd8cefee02f6b933f7220ef8f537a0953e510ad554d68695cdb3e2c2b

SHA512
dc21bef257673d76b7b88967fa86bc1e6e6324e134a04a4e346714c7a468c3e71b0229532468f51c180f7d0c3ca2dd592ba327e69b568d9d3082029e794c21d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
a8395f4207c835043c8e51700fa67ae6

SHA1
ebcba42018e248720b382f3a7b3f5bec6c0544e8

SHA256
83055a37add463cb6f793e09b229e8927768fa1574a12d30ca915a731d46b93e

SHA512
0e22d5d8532fad359fab34d92de2921ac5bff3c25f8210013c697798ab530009c510e955769f58f8575027f64d688cccc4e34a6eaf2c862cddf4745300a18c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8ebe1b21-b65a-4345-a3ea-d9b73bb8ecb8\index-dir\the-real-index

Filesize
624B

MD5
1cb3c3acb9bd24de5c067caeba67d985

SHA1
f23a6b45f0fd09ca11173ae7f1910df258968c91

SHA256
c71febd4af7ebfdef48bb084ce0d591fc5adc554b9b039f5ae85ede89684ab00

SHA512
74087ee77ae3c2175f8f7199e1ac1fca5da9e66619d6b13512f9ad5e73834da2f71d763a2ba146f0d1bcdec2d251e3ceaf3f26db7a821faeb77afa6b77da9f1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8ebe1b21-b65a-4345-a3ea-d9b73bb8ecb8\index-dir\the-real-index~RFe5a1677.TMP

Filesize
48B

MD5
7cce0f24b85bc9d6b6e08de5258bb953

SHA1
77565dd7f5e17f5930696f263ec96b1ad118ad4e

SHA256
4cde9adb6ec7463027793b7a7ab35bf4e458385b803f7239942f62eda585c40a

SHA512
37182a3458ca4039308d64c95b66d6c5f7998b66b9faa2b1449791597e36f8bf9484e2b8e50825385ee77af1ab8e2def3a414e342ed48734b8b65d8b41e00300

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a0bd462c-f51c-41e4-bf6a-90f1c0642566\index-dir\the-real-index

Filesize
2KB

MD5
748ba26889d19f4cc841ac2e7968943d

SHA1
c529ad2e5b146b0353da998729168508accd4fa1

SHA256
c3deaf5fce8ce910509fa36b15f0d580761fcc8b2912a3b8d747303812e69a5a

SHA512
ee02152cfe0ac736a452815b45ebe07b9019ad7a4f43ad5d2a50b53d195a69ec000b4fe081773fa10d795a0bea6f33b9c9f146e94ab6428a78299d10cc928a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a0bd462c-f51c-41e4-bf6a-90f1c0642566\index-dir\the-real-index~RFe59b387.TMP

Filesize
48B

MD5
5994e79fc16056bd57afbbc50cc7f55c

SHA1
17ef35be85ad92d4e52a7e6f5e0ce6f5dc8cedfe

SHA256
5fe2f05f1435bf7fd1f8e2b787fca252d1e30157d2aab07d5f6f16d61f81578c

SHA512
17234f72cd809e83d81498c432f5201c2f0976ae3ee8847af1f321d77750edc4c913a3b2c881d84d9d8877691c019a121b2ec09279fba791f611ae816926404f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e108d123-db22-43de-8908-7d43a7346871\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e108d123-db22-43de-8908-7d43a7346871\index-dir\the-real-index

Filesize
2KB

MD5
2ba0576f8adb3716f811b93e11503219

SHA1
ef2700fee0248acb3c16c29324b832fa347105a5

SHA256
eae88b66abdce5856f529fec25de032de69a38940e6e4f853e381aaf7295c600

SHA512
e2d6690dbc435b0990d3e281a2f66f349101d79e269fe32be534d33f4a9e4299dc9d7d651ee791b060707c940160088652d55636accfa3bd92e006110f7835cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e108d123-db22-43de-8908-7d43a7346871\index-dir\the-real-index~RFe5a1c53.TMP

Filesize
48B

MD5
706f558e0fc8af10cd3f2ab4c7dcdc19

SHA1
64a317f22c6956507c53c44c3974bb077107ceaa

SHA256
88dd842892d5dc96ffbad14525c491624748ad89dd5948f404ac81cd81da4f1c

SHA512
184ccc38128f56bee6c6c2d6e59193ab8eb8df59d0262b226ad1eb5883f0730e38ee3ba999674f2d10682a47e80bc7b6bd9ce70ddf4fc9ae27914c45f6df6fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
a1a91209b5a82445fa4a436736e294c5

SHA1
c397dde8e3cdbed821ca86bd66189402860d5ccc

SHA256
268bf84d0900f2d17a2b4a863f844aeafb25bdb26d9375eb2747b190846d5dad

SHA512
bf9e7467dd2a1ce90d1193993f2229516e849fa92922fc9b5c86e1aca58b580391a834329462d9e60682b5b916282d04f8116712e73a1b27a3d4b1069867155a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
34a46799d7e24d3048d32043d8a0788a

SHA1
99e1f6675a1549587d30cff938992187179c0c51

SHA256
1dfeaa6830b225deb11bcb380ab45626d429fbb7d5f1b38d5b0c1160750d2705

SHA512
65e5284fcba81c4e8be1657b1ffb311e191683f377ca8cae88fb0d3b4b179a84d92c63eba86024e026a5b64d68f468150524735efa348369196058e2f02dfd8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
119B

MD5
3f72fbac3101364d920f048774bb54e6

SHA1
41f0a7e0c298a627dfa7702e1c99db6089129a63

SHA256
5f982810c5c2540b933f9bffc5f8ca4e0b05cf14e21b0298475ffff3c1a9ef79

SHA512
708d14c74e761250c1073707a8e31f7f5532b0cfd85027ce0c9339b9c48a6711a05e330943a53f0c0508a15266c631f90916a14e8041ac050d0d9970367284dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
08e0ee1ae8a35b98d3e29634ab0a66c9

SHA1
d2cfda69d9c71a51ba70dea82a1a8505548c3592

SHA256
43a20c247e31c48301d96bdeb0c7153764f9b9831303ca890de4b1e2c0619ce4

SHA512
46d2fda40d11fe1975ba41fdce3bc39271baa0e0e834efe208992b7311aeb76afb8c07d084674bf4754828e4340cafa7498df640b181feb547abf53d99b52aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
2516e348083393cdac69c48209867f07

SHA1
ed8e6e99e6ce262dc4fb7639bb0db01df76415a2

SHA256
c3a9b7a957090afd94afd59182f568cb420e89dce867ffb59875641173e1ff42

SHA512
1d910e68a604fb5c4ad322e7850b8c312d7fd7cfa5a7ba93e996c5e7530c36ba228f269ed11c533487b9126598b7bc6719ed3cde3251eaffd229879431736338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
3f2acf0353da518d1401a4f997979371

SHA1
387045a6fd4048ceb08b2ac3c9abb60bdee59aee

SHA256
c4eb0c778915a5012e3ed8797590f7ade851b79bd2afe4fe031b19e40de06ce7

SHA512
df53759b941f6774681009b61cdcfaff532e662511f044374c3af911d8a92c7ec7a535b8f9fde1fdf67b89922d4027f106c25760e5342088d9c871e88e41ed41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
8a5f1c6e6eb1b1e818c98aa42fff61c1

SHA1
ee8ac35acb3374772134e372c3c83deb0c15b04e

SHA256
580f4240e1bd99862481b38226dadc9b6e6d41f4aee57d3e3ec60e5af1dcf598

SHA512
2d4cff5aa69769f56d02127ee0b6dc6d3d69c58721466dbb853e85c19c4502bb14a798e943835cf2f3fa52d426134416f5a6a0b7155169d85a2424dd93057004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
b6f48def1ad0dc727f479ce8ffec8a6b

SHA1
488a3d7c23f20d7c90d9cd3010d31836d67b4028

SHA256
88b9c140ca5cdbc682401e0cd009ef606ef17510c596d69c12b629f720543aec

SHA512
ff657c31fa12c36894ac6002bbc33c3263739b9727aa255687ff9299087d47b2a6b390cd0bb6ce588b992c245e497f5e9178de97bec3c72a2d696160dd9f3a9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe59a83c.TMP

Filesize
119B

MD5
a3a04c8fc2a40cdbfe738a294558ff27

SHA1
cb9b856e408ce304a1cb2c36c96d8402d955a6fd

SHA256
547fff55da50f709a1c492eae336655026686af8fd2e019f7fcdda5241e52232

SHA512
6398bc09ba14cdd08e6a1dcd9be3d3369dda2e3bf07d6c8541a1af562b932697eea75e7e1e17155cb220aa37b48511a361191e149e5b2a9ea64f3dff3eb72395

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
2d2bab603e88174f5d8d28a3731d5754

SHA1
be6a0c40e193739dbb61845621679d596336729f

SHA256
378c44e40e8924da36d77d87e8bd65b176102205c9833324194ba09f893d79e7

SHA512
a7c2181a51c15cb04ec6d7f8f1507a472b178c4d5ca8355d134b4d6ff84e681d8a0ff5e8476744e46feba5809e2cf6d540cfd0ef26d7890f8e6e12558ed2ae53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5990cc.TMP

Filesize
140B

MD5
f02fb5a513d9a74d6b41a5aafd3d3bf8

SHA1
5f9b618d0b22a9c5c5cabf1d464fe43ab7b0ae9c

SHA256
c733f84b3154e0b213607ee625ab7c9eb44d567df42253e5e748811dd964014f

SHA512
b3c38bce91d69c7379c2257c5bd5d534234e075784117480a6a34aad4ffde9f90194dbe1b416aadc80130ef9b9c49b3b8cc6e926e569b7238ea6626530b868c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
84b6e04cf29db7ec930540466135bec6

SHA1
8fd01359941333d700373d614d93b7f6cf0c2918

SHA256
58126aad50995c726ca3033a626be137e7672948aa7ffc4fa1862c7f09470725

SHA512
d170478d695665026099f94d05c9ea60bf087f76984f7f8c7eeead84ccf0f598fe0c8161a11eec83057605e0f4816a265ab0bed3e6a437992f0202521dade82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
bd0014f7c514e7d5d9bf50d0ff3a073c

SHA1
b0a1ab39df2927dc11327d0e7415f71eece4dc12

SHA256
0fccbf7b21addfee04f8c0f96d58a8225bae7d0863d7e75492bb78b73cf1f511

SHA512
2f4a6eeffa4521dddff6efe4b70552d4047967d8d60da8414ce6f7660192d2e87e370fb0c083f3d64a3e1338f20eeb17ff6c19115a13d69b590866db54287384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1dbff44a68d3217de851b7029dfcd40a

SHA1
8407e0cab5ddaeb5bd7f5251a0661cb22bde9232

SHA256
3c8606e0b5d87db1bd93abd2e5122b443fe88a103512fb14ddd86fa9ae2bca37

SHA512
c4d46dc7da8c686cd3294c7b706a75e1a6e74a3ff6d3cc73fcc59beeb314f2fd072bbdadb54b05e722dbb6ce7f07cf2c40c67ad96a4a9d0fa067d9f27f572d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
10bd3fc76ae8c491da97a49a3b05e2ae

SHA1
e0db45a071ea7e62450ae22531c26d39004c35ca

SHA256
070f2287baec66096a53ce503f14b8f2cf1015baa0142c173e7f8e00301e73d5

SHA512
1d2916437f3663c520395dcc772c0a3eaf69f1d3bb71416865cfeebd2cab72dfdd54c87ad6bc9009dec503efb4f0416d69e6e336f790f743a272705d4442e972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ff1b20bceb7a69708f020dbccfc1b5bf

SHA1
b4515037c54ec0925b0103bed73fa3f61494c390

SHA256
24b2ee74e4a765dd2ebd757b4311627db740ca900b781dd527c0c5a1296d415a

SHA512
94f89f90c59af8c4afe10cbfbed84f6329050835a5916bc9ae0c081fe7933e60f8d6eefdf0b7e35813930249ad50fff6367efc81400c09bb578f47370b55f83d

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 4798.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
\??\pipe\crashpad_1764_NWMXUEQLJBNTSOTB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5548-1672-0x00000218E1600000-0x00000218E25F4000-memory.dmp

Filesize
16.0MB

Download
memory/5548-1682-0x00000218FCCE0000-0x00000218FE26E000-memory.dmp

Filesize
21.6MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads